Cryptosmith

Cyber and security architecture, not bitcoins

Powered by
WordPress

  • Teaching with Design Principles

    Design principles help students learn the essentials of technical design tasks. Students apply simple-sounding rules to achieve desired design features. The trick is to present students with design principles they can see in real life, understand, and apply in their own efforts. Here are my observations on how to write design principles to teach technical…

  • Grade School Crypto Videos

    This is a short, gentle two-part introduction to basic cryptographic concepts using text-based crypto examples. The videos illustrate encryption, decryption, ciphers, keys, algorithms, code cracking, cryptanalysis, and letter frequency analysis.  Full disclosure: I produced these videos over a decade ago. Now they are hosted directly on this web site. The technical details in the videos…

  • Why Signalgate Matters

    I found this in my files. I no doubt intended to publish it months ago and forgot to finish it and press the button. Senior government officials traditionally restrict defense-related conversations to special locations to prevent eavesdropping. The most secret conversations occur in places like the White House Situation Room or protected command centers in…

  • Another Telephone Phish

    A person called me on the phone a few moments ago claiming to be from US Bank. He said there was some fraud detected on my account: someone created a new checking account with my identity information. “So, you have my identity information?” I asked. “Yes,” he replied. “Can you prove who you say you…

  • Making Fun of Quantum Codebreaking

    Quantum codebreaking uses a theoretically “large” quantum computer to break secret codes. Today, quantum computers handle very tiny numbers. The most impressive examples deal with numbers less than 22. In theory, a “large” quantum computer could quickly crack codes we use every day to protect data.  I’ve been skeptical about quantum codebreaking for decades. I…

  • War Plan Chat Includes Journalist

    Journalists aren’t usually invited to online chats about US war plans. This seemed obvious until yesterday, when Atlantic editor Jeffrey Goldberg published his article about being a lurker in an online chat with US Secretaries of State, Defense, and Treasury, plus the VP and the Director of National Intelligence. The plans led to a US…

  • Clever PayPal-based Attack

    Do not call that number! This attack is brilliant. It uses a legitimate PayPal email message about a bogus payment to trick you into phoning a bogus PayPal phone number. I have received several of them this week with various names for the company sending the money request. Different emails contain different subjects and different…

  • ARPANET Maps

    Here is a set of geographical maps of the ARPANET in the 1970s and 1980s. There is also one “logical” map that focuses more on which host computers were connected where. The ARPANET was a precursor (some would say “the precursor”) to today’s Internet. It pioneered transcontinental and transoceanic digital networking, adaptive routing, modern email,…

  • Breaking Bitlocker

    It was only a matter of time before someone did this. Bitlocker is Microsoft’s technique for encrypting a desktop, laptop, or other MS Windows device. We encrypt the device to protect the contents if it is ever stolen. In theory, the only way Windows will start up if it is Bitlocked (is that really a…

  • Play the Password Game!

    A clever person has hosted a Password Game. Give it a try!

  • Leaking Secrets Under Social Pressure

    Here is a classic example of human nature: people on a gaming site argue that the site’s tanks don’t accurately reflect their capabilities. Participants post classified information to prove their point. Reporters have been following this story for almost a year on the game War Thunder. The first case appeared a couple summers ago regarding…

  • GPT and Confirmation Bias

    “Garbage in, garbage out.” In computing we’ve recited the GIGO motto since I was in diapers (Univac I and vacuum tubes were state of the art). Comfirmation bias is like GIGO: if people already know (think, guess, believe) something is true then they’re inclined to accept new evidence in its favor and reject evidence against…

  • SCI//HCS-P/SI/TK at Mar-a-Lago

    This is a brief explanation of the weird acronyms on the cover sheets that appeared in the photo of classified the FBI seized at Trump’s Mar-a-Lago home. They identify different types of classified information that might – or might not – reside beneath such a cover sheet. The traditional classification markings Confidential, Secret, and Top…

  • The Mar-a-Lago Mess

    Update: Former President Trump has been indicted under federal laws for unlawfully retaining government documents and under the Espionage Act. I’ve avoided commenting on the FBI’s discovery of classified documents at the Mar-a-Lago Club, the home of former President Donald Trump, before this. Numerous pundits have shared their opinions about Trump’s legal jeopardy, if any.…

  • The Quantum Computer Bogeyman

    Peter Gutmann of the University of Aukland recently published a parable “On the Heffalump Threat.” He pokes fun at the R&D cottage industry trying to achieve a practical quantum computer and at related efforts at “post quantum cryptography.” Security People always like to be prepared, even if the rest of us aren’t. Here’s the background:…

  • Can I auto-post to Mastodon?

    Update: My autoposting mechanism never really worked. Fortunately, WordPress.com developed an autopost mechanism that I can use through their social media settings. I’m reposting this article as part of my tests of auto-posting. In other words, my first attempt wasn’t exactly a success. It appears that I didn’t get my cron working correctly. Like lots…

  • Mastodon

    Like lots of other people, I’m looking at Mastodon as a newer, better tech-social community. I’m trying to auto-post from this site to a Mastodon ID, and I have a separate Mastodon ID that I use for conversation. @cryptosmith@mastodon.social is the conversation one. @cryptosmith@infosec.exchange is the autoposting one. Now, maybe I need to use the…

  • Writing Nonfiction with ADHD

    [Revised 17 Dec 22] This post is inspired by Tessa Flattum’s post, “How to Write a Novel with ADHD.” I self-diagnosed my own ADHD after my son was diagnosed as a child. I’ve written three technical nonfiction books on cybersecurity. I agree with her general observations, but my own experience is a bit different. First,…

  • Telepathic Declassification

    Former President Trump recently suggested that the sitting President simply needs to “think” something is declassified in order to declassify it. Is there a cascade of increasingly formal ways to declassify? Perhaps: Think the information is declassified Tweet an order that the information is declassified Write up and sign a formal Presidential order to declassify…

  • Email Attack via a Recycled Domain

    A software engineering friend fell victim to an almost-successful attack on his Facebook account. The attacker seemed to have a database of email addresses and user physical locations (i.e. cities, states, small countries). If the email’s domain name wasn’t registered, the attacker constructed a domain registration and directed its email to a mailbox he controls.…

  • Cybersecurity for MSSE 2023

    MSSE second-year students may request a cybersecurity elective as course SENG 5271. If the course is not chosen to be an offered elective, students may take it as an independent study. In either case, the course is entirely online. The course provides a broad introduction, while focusing on the practical engineering aspects of cybersecurity. I…

  • Update: Tweeting Top Secret

    Back in the dark ages of the Trump presidency, the President tweeted this photograph. An earlier post examines the legality of a similar act (100% legal), and speculates about the potential damage to national security (none, really). Journalist Zach Dorfman of Yahoo News has posted an interesting article that quotes defense officials on the disclosure’s…

  • Online Course: Cloud Top Ten Risks

    I am pleased to report that the fourth course for the University of Minnesota in my online Cloud Cybersecurity specialization, Cloud Top Ten Risks, is now available for registration. The course itself should be running in a week or two, depending on internal processes at Coursera.

  • Cybersecurity for MSSE 2022

    I am offering an online cybersecurity elective to MSSE second-year students for 2022: SENG 5271. It uses my Cybersecurity in the Cloud specialization offered on Coursera, plus readings and labs from my textbook Elementary Information Security. The course and textbook focus on how technical measures relate to more abstract business and safety goals. We cover…